[scap_interest] Questions from David Harrington

Stephen Hanna <shanna@juniper.net> Fri, 05 November 2010 04:49 UTC

From: Stephen Hanna <shanna@juniper.net>
To: "scap_interest@ietf.org" <scap_interest@ietf.org>
Date: Fri, 5 Nov 2010 00:45:26 -0400
Thread-Topic: Questions from David Harrington
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AE907230F827@EMBX01-WF.jnpr.net>
Subject: [scap_interest] Questions from David Harrington

David Harrington sent me some questions about SCAP and the SCAP BOF
recently. These questions (included below) are thought-provoking.
They should get some good discussions going on this list.

Since I'm not an SCAP expert, I don't have answers to all of these
myself. I have asked some SCAP experts to answer them. Please use
a separate thread for each question so that people can follow the
discussions more easily.

Thanks,

Steve Hanna

-----------

To help the BOF organizers, I have some basic questions I would like
to have answered during the BOF (and on the mailing list)

1) NIST is a national standardization organization. Is NIST/Mitre/DHS
willing to give change control to IETF to develop this into an
international standard?

2) Will the NVD be made available for use with the international
standard, by the whole IETF community? What requirements must be met
to be allowed to access the NVD database?

3) Various proposals to standardize IDS-related technologies have
failed in IETF, mostly because the industry players seem not very
interested in standards.
Major players use their vulnerability and signature libraries as
value-add features. They seem to develop proprietary protocols to suit
their specific applications. Why will this be different?

4) In the past, IDS work has not been considered IETF work; IDS
vendors tend to have their own security-related fora for sharing
information. NEA has been brought into the IETF from the TSG, and the
IEEE has created the Industry Connections Security Group that focuses
on standardizing malware definitions.  I personally would love to have
that community come into the IETF and use the IETF process for
**developing** the specifications, not just for approving the
specifications after they're done. Is the industry seriously
interested in participating in the IETF, or will they continue to
create multiple security fora to develop specifications and then bring
their specifications to the IETF for approval as RFCs?

5) The web page says "leaders in the SCAP community (including NIST,
NSA, MITRE, and commercial vendors) have decided to explore taking the
most stable and successful SCAP specifications to the IETF for
adoption as Standards Track RFCs." Are these leaders expecting the
IETF to rubber-stamp these mature/stable/successful specifications? I
am especially concerned by the explanation that this BOF is to
"explore whether the IETF would be an appropriate venue for such
standardization ***when ready***."  (emphasis mine). We have working
groups explicitly to do the development work, not to accept
specifications when ready.

6) Much of the SCAP standards are agreed-upon definitions, schemas,
etc. These apparently are registered with Mitre. The listshow.net web
page discusses this: "Formats for the existing enumerations such as
CVE and CCE are good candidates as well. Note we are only talking
about the actual enumeration formats, not the operational
uses/administration of the enumerations. That would remain outside the
IETF, as it is today."
Does this mean IANA would not administer the relevant registries for
these IETF standards? If not, how would the registrations be
administered, and who controls them? What are the requirements
(comparable to RFC5226)?

7) The web site says "We will continue to use this [open contribution]
model for the development of new SCAP specifications and
capabilities." Does this mean the SCAP community will work outside the
WG to continue development of SCAP proposals? The IETF has rules it
follows about things like downrefs, backwards compatibility,
interoperability requirements, etc. What happens if SCAP-developed
specifications do not interoperate properly with IETF standards
developed by the SCAP WG, because SCAP decides to use different rules?

8) I have concerns this appears to be a request to rubber-stamp a
national standard to make it an international standard. So if the IETF
rubber-stamps this work from NIST, will the IETF also rubber-stamp
work by CCSA? And comparable national standards organizations for UK,
France, Germany, Italy, Spain, Korea, Japan, Canada, and ... ?